
🎁 zoe installed as a chocolatey package 🎁

Open adriens opened this issue 2 years ago • 7 comments

👉 Context

Hi, I'm a Kafka user and was looking for a good tool. I first found Conduktor, but the licence was too restrictive. So I started to look for another tool. Then I discovered zoe. Most of my collaborators are running under Windows and I needed them to optimize zoe adoption. Therefore I needed a more straightforward install path for Windows users.

Finally I created a Chocolatey package so the install process would be as simple as:

choco install zoe

🎁 Contribution

Hopefully you'll appreciate this modest contribution to your great software that really fits our needs. I may also create feature requests or contribute to the code base if you are interested in that.

I've dropped:

  • a badge on your README
  • a dedicated section in the install topic.

Best Regards, Adrien

adriens, Aug 21 '21 03:08

Hi @adriens! This sounds awesome, thanks for the suggestion and the contribution. Really appreciate it.

How is the package made available in chocolatey? Did you upload it manually? I'm trying to understand how this works because I think we should automate the whole process including the upload to chocolatey repositories. What do you think?

wlezzar, Aug 22 '21 15:08

Hi wlezzar, yep, the whole process is CI driven and automated, so it does not require much effort from me to keep the package up to date.

Here is the CI status : Build status

In fact, the only thing to do is to update zoe.properties with the proper target version and make a PR 😆.

💡 What would be amazing would be to make a cross-repo GH workflow that makes a PR to my repo once you have released on your side. What do you think about that? 💡

Here are the Guidelines.

Also, it's very important to notice that each time someone installs the zoe choco package, it downloads binaries from your GH repo, so the GH download stats are updated. The choco package is just an installer that uses your official assets to simplify the install process.

adriens, Aug 22 '21 19:08

Sorry for the delay @adriens. This triggered some discussions within Adevinta security-wise. This would definitely be a super useful addition to Zoe. Is it somehow possible to contribute these CI scripts into this repository? This is a requirement before we can add this to the docs as an official install procedure. What do you think?

wlezzar, Sep 01 '21 14:09

No worries about the delay.

For security, it's in fact guaranteed by the jar SHA, which acts as proof that no one corrupted them. Also, the choco moderation process includes an antivirus scan. So the package is totally transparent about the fact that it really installs the target software, which is downloaded from the official GH software repo... and nothing more.

In fact, it's a very common pattern in the Chocolatey community and open source software. For example, most Apache software choco packages are not maintained by Apache but by contributors: https://community.chocolatey.org/packages/maven

So, sorry, but I don't really understand what the security issue is. Could you please be more specific?

adriens, Sep 02 '21 00:09

The security issue that I mentioned concerns the fact that the chocolatey package / CI in its current version is maintained in a third-party repository over which the maintainers of this repo have no control. I understand that the package is protected by SHA checks but if the repo / source of the package is not minimally controlled by Adevinta, it's not possible to provide guarantees. Does that make sense?

What I suggest is that I can create a new repository adevinta/chocolatey-zoe, add you as a contributor there and you can put the chocolatey CI there. What do you think? It's a bit the same pattern we used for the Homebrew package.

Once we create that repo and the CI is there, we can add the info on the documentation and merge this PR.

wlezzar, Sep 06 '21 15:09

Hmm, yes, I understand.

> What I suggest is that I can create a new repository adevinta/chocolatey-zoe, add you as a contributor there and you can put the chocolatey CI there.

Yes, that looks pretty interesting. I even have a better (in my opinion) proposal: what would you say if I transferred ownership of the actual repo to you? So, no loss of code history. Next, you'll be able to add me as a contributor if you're OK with that.

In a second step, we'll have to check the AppVeyor part as well as the maintainer privileges on the choco website.

What do you think about that plan? 😸

adriens, Sep 06 '21 20:09

Sounds like a very good plan :). Let's do that 👍. As soon as I have the ownership of the repo, I will transfer it under the name of Adevinta and I will add you as a contributor.

wlezzar, Sep 06 '21 21:09